CWE-668(Exposure of Resource to Wrong Sphere)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
| 類型 | 名稱 | 類 | 普遍性 | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。
| CVE | 公開時間 | 摘要 |
|---|---|---|
| CVE-2026-14960 | 2026-07-15 | Pegatron `Tdelo64.sys` improperly exposes privileged hardware access functionality through the `\\.\TdeIo` device interface. IOCTL handlers including `TDE_IOCTL_INDEXIO_READ` and `TDE_IOCTL_INDEXIO_WR… |
| CVE-2026-45077 | 2026-07-14 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, the server:log listener (Symfony\Bridge\Monolog\Command\S… |
| CVE-2026-59835 | 2026-07-14 | A exposure of resource to wrong sphere vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.3 through 4.4.8 may allow an unauthenticated attacker to access the VNC server of VM… |
| CVE-2026-53657 | 2026-07-10 | Lima launches Linux virtual machines, typically on macOS, for running containerd. Prior to 2.1.3, on an instance of Lima running with the qemu driver, an arbitrary user in the VM could access /run/lim… |
| CVE-2026-53648 | 2026-07-06 | FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.1, downloadable product files are stored using a deterministic filename-derived path. When an administrato… |
| CVE-2026-14611 | 2026-07-03 | A vulnerability has been found in DeepMyst Mysti up to 0.4.0. The affected element is the function initProjectMemory of the file src/managers/MemoryManager.ts of the component Per-Project Auto-Memory … |
| CVE-2026-57231 | 2026-06-26 | Podman is a tool for managing OCI containers and pods. From 1.8.1 until 5.8.4, a container image that contains a environment variable with just a key and no value can trick podman into passing that va… |
| CVE-2026-56077 | 2026-06-18 | PraisonAI before 1.5.115 contains an information disclosure vulnerability in the MultiAgentLedger component that allows attackers to access sensitive data by registering agents with duplicate IDs. Att… |
| CVE-2026-50202 | 2026-06-17 | Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Security.Authentication.CloudFoundryBase prior to version 3.4.0… |
| CVE-2026-53826 | 2026-06-12 | OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace path to child prompts. Attackers can exploit this by spawning c… |
| CVE-2026-47141 | 2026-06-12 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin. The diagnostics_channel, a… |
| CVE-2026-48096 | 2026-06-10 | OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to Op… |
| CVE-2026-42535 | 2026-06-08 | A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes. Users… |
| CVE-2025-15653 | 2026-06-02 | Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations contain a local security vulnerability that allows unauthorized individuals with physical access to compromise softwar… |
| CVE-2026-46430 | 2026-05-26 | Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags… |
| CVE-2026-8958 | 2026-05-19 | Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. |
| CVE-2026-46723 | 2026-05-19 | The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data f… |
| CVE-2026-44552 | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the tool_servers and terminal_servers keys in utils/tools.py do use a prefix. When tw… |
| CVE-2026-45411 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the generator is closed using the re… |
| CVE-2026-44009 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2. |
| 日期 | 名稱 | 版本 | 重要性 | 評論 |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Other_Notes |
| 2008-11-24 | CWE Content Team | 1.1 | — | updated Relationships |
| 2009-05-27 | CWE Content Team | 1.4 | — | updated Relationships |
| 2009-07-22 | CWE Content Team | 1.5 | Critical | Clarified description to include permissions. |
| 2009-07-27 | CWE Content Team | 1.5 | — | updated Description, Relationships |
| 2009-10-29 | CWE Content Team | 1.6 | — | updated Other_Notes, Theoretical_Notes |
| 2009-12-28 | CWE Content Team | 1.7 | — | updated Relationships |
| 2010-09-27 | CWE Content Team | 1.10 | — | updated Relationships |
| 2011-03-29 | CWE Content Team | 1.12 | — | updated Relationships |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships |
| 2013-02-21 | CWE Content Team | 2.4 | — | updated Relationships |
| 2013-07-17 | CWE Content Team | 2.5 | — | updated Relationships |
| 2014-06-23 | CWE Content Team | 2.7 | — | updated Relationships |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships |
| 2015-12-07 | CWE Content Team | 2.9 | — | updated Relationships |
| 2017-01-19 | CWE Content Team | 2.10 | — | updated Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Modes_of_Introduction, Relationships, Relevant_Properties |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated Relationships |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Relationships |
| 2021-03-15 | CWE Content Team | 4.4 | — | updated Relationships |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2022-04-28 | CWE Content Team | 4.7 | — | updated Relationships |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated References |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-04-03 | CWE Content Team | 4.17 | — | updated Common_Consequences, Relationships |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Relationships, Weakness_Ordinalities |
| 2026-04-30 | CWE Content Team | 4.20 | — | updated Mapping_Notes |